Annotate

plugins/mod_invites_adhoc.lua @ 12659:c0eea4f6c739

usermanager: Add back temporary is_admin to warn about deprecated API usage Goal: Introduce role-auth with minimal disruption is_admin() is unsafe in a system with per-session permissions, so it has been deprecated. Roll-out approach: 1) First, log a warning when is_admin() is used. It should continue to function normally, backed by the new role API. Nothing is really using per-session authz yet, so there is minimal security concern. The 'strict_deprecate_is_admin' global setting can be set to 'true' to force a hard failure of is_admin() attempts (it will log an error and always return false). 2) In some time (at least 1 week), but possibly longer depending on the number of affected deployments: switch 'strict_deprecate_is_admin' to 'true' by default. It can still be disabled for systems that need it. 3) Further in the future, before the next release, the option will be removed and is_admin() will be permanently disabled.
author Matthew Wild <mwild1@gmail.com>
date Mon, 15 Aug 2022 15:25:07 +0100
parent 12642:9061f9621330
child 12977:74b9e05af71e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
12145
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- XEP-0401: Easy User Onboarding
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local dataforms = require "util.dataforms";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local datetime = require "util.datetime";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local split_jid = require "util.jid".split;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local new_adhoc = module:require("adhoc").new;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 -- Whether local users can invite other users to create an account on this server
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local allow_user_invites = module:get_option_boolean("allow_user_invites", false);
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 -- Who can see and use the contact invite command. It is strongly recommended to
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 -- keep this available to all local users. To allow/disallow invite-registration
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 -- on the server, use the option above instead.
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local allow_contact_invites = module:get_option_boolean("allow_contact_invites", true);
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 12491
diff changeset
15 module:default_permission(allow_user_invites and "prosody:user" or "prosody:admin", ":invite-users");
12145
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local invites;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 if prosody.shutdown then -- COMPAT hack to detect prosodyctl
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 invites = module:depends("invites");
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 end
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 local invite_result_form = dataforms.new({
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 title = "Your invite has been created",
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 name = "url" ;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 var = "landing-url";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 label = "Invite web page";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 desc = "Share this link";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 },
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 name = "uri";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 label = "Invite URI";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 desc = "This alternative link can be opened with some XMPP clients";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 },
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 name = "expire";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 label = "Invite valid until";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 },
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 });
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 -- This is for checking if the specified JID may create invites
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 -- that allow people to register accounts on this host.
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 12491
diff changeset
43 local function may_invite_new_users(context)
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 12491
diff changeset
44 return module:may(":invite-users", context);
12145
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 end
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 module:depends("adhoc");
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 -- This command is available to all local users, even if allow_user_invites = false
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 -- If allow_user_invites is false, creating an invite still works, but the invite will
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 -- not be valid for registration on the current server, only for establishing a roster
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 -- subscription.
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 module:provides("adhoc", new_adhoc("Create new contact invite", "urn:xmpp:invite#invite",
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 function (_, data)
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 local username, host = split_jid(data.from);
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 if host ~= module.host then
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 return {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 status = "completed";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 error = {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 message = "This command is only available to users of "..module.host;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
63 end
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 12491
diff changeset
64 local invite = invites.create_contact(username, may_invite_new_users(data), {
12145
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65 source = data.from
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
66 });
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
67 --TODO: check errors
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
68 return {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
69 status = "completed";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
70 form = {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71 layout = invite_result_form;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
72 values = {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73 uri = invite.uri;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
74 url = invite.landing_page;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
75 expire = datetime.datetime(invite.expires);
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
76 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
77 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
78 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
79 end, allow_contact_invites and "local_user" or "admin"));
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
80
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
81 -- This is an admin-only command that creates a new invitation suitable for registering
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
82 -- a new account. It does not add the new user to the admin's roster.
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
83 module:provides("adhoc", new_adhoc("Create new account invite", "urn:xmpp:invite#create-account",
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
84 function (_, data)
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
85 local invite = invites.create_account(nil, {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
86 source = data.from
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
87 });
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
88 --TODO: check errors
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
89 return {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
90 status = "completed";
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
91 form = {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
92 layout = invite_result_form;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
93 values = {
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
94 uri = invite.uri;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
95 url = invite.landing_page;
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
96 expire = datetime.datetime(invite.expires);
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
97 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
98 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
99 };
212bac94aedd mod_invites_adhoc: Import from prosody-modules@5001104f0275
Kim Alvefur <zash@zash.se>
parents:
diff changeset
100 end, "admin"));